BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Iran’s MuddyWater Hacks with UDPGangster Malware via Phishing

Iranian hacking group MuddyWater deploys UDPGangster backdoor malware using UDP for command-and-control in attacks targeting Turkey, Israel, and Azerbaijan via malicious macro-enabled Word documents

  • An Iranian Hacking group called MuddyWater is using a new backdoor Malware named UDPGangster that exploits UDP for command-and-control operations.
  • The malware targets systems in Turkey, Israel, and Azerbaijan through spear-phishing emails with malicious Microsoft Word attachments.
  • UDPGangster employs multiple anti-analysis techniques to detect virtual environments and avoid detection before collecting data and executing commands via UDP connections.
  • The infection begins when victims enable macros in Word documents that run embedded VBA scripts to deploy the backdoor.
  • The activity follows recent attacks linked to MuddyWater involving another backdoor, MuddyViper, targeting various sectors within Israel.

An Iranian cyber espionage group known as MuddyWater has been observed deploying a new backdoor called UDPGangster since late 2025. This malware uses the User Datagram Protocol (UDP) for its command-and-control (C2) communications and primarily targets users in Turkey, Israel, and Azerbaijan, according to Cybersecurity researchers.

- Advertisement -

The attack method begins with spear-phishing emails that impersonate entities such as the Ministry of Foreign Affairs of the Turkish Republic of Northern Cyprus. These messages include a ZIP file attachment containing a Microsoft Word document named “seminer.doc,” which prompts recipients to enable macros. Activating the macros runs a VBA script that secretly executes the UDPGangster payload. The script also displays a decoy image, in Hebrew, related to telecom outages in Israel to distract victims.

“The macro uses the Document_Open() event to automatically execute, decoding Base64-encoded data from a hidden form field and writing the decoded content to C:\Users\Public\ui.txt,” explained security researcher Cara Lin. “It then executes this file using the Windows API CreateProcessA, launching the UDPGangster payload.”

Once active, UDPGangster establishes persistence by modifying the Windows Registry and incorporates a variety of anti-analysis techniques. These include checks for debugging tools, Sandbox environments, virtual machines, available system memory, and network adapter information. It also scans for known virtualization software processes and environment markers, ensuring it operates only in real user environments.

After confirming it is not under analysis, the malware collects system information and communicates with a remote C2 server at IP address 157.20.182.75 over UDP port 1269. Through this channel, attackers can run commands, transmit files, update the malware, and deploy additional payloads.

- Advertisement -

This campaign coincides with recent attacks by MuddyWater that delivered another backdoor called MuddyViper. Those attacks affected sectors including academia, engineering, local government, manufacturing, technology, transportation, and utilities within Israel.

Security experts caution users to be wary of unsolicited documents that request macro activation and highlight the sophisticated evasion tactics used by UDPGangster. Further details on the malware’s behavior and mitigation strategies are available according to Cara Lin.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Cambridge: Ethereum Energy Intensity Low, Overall Use High

Ethereum consumes roughly 7.87 GWh annually, the second-lowest energy intensity per market value among...

Saylor and Back oppose BIP-110 fork over Bitcoin security fears

Michael Saylor and Adam Back have publicly opposed BIP-110, a temporary Bitcoin fork proposal...

China, India groups target Pakistani police in cyber espionage

Suspected China- and India-aligned threat actors targeted Pakistani law enforcement in a sustained cyber...

AMD Stock Dips 10% Amid AI Volatility Ahead of Q3 Earnings

AMD stock fell nearly 10% from $580 on June 30 to roughly $516 by...

Bitcoin Creator Back Warns BIP-110 Data Limit Could Split Network

Adam Back said Bitcoin has "robustly rejected" BIP-110, arguing the proposal conflicts with the...

Must Read

Top 10 Best Blockchain Games

If you want to know about the best blockchain games then read this article carefully. We listed the best games you can play and...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading